23019017 clone archives should remove sensitive puppet configuration data
authorPatrick Einheber <patrick.einheber@oracle.com>
Thu, 22 Sep 2016 07:45:05 -0700
changeset 6958 864721a3146f
parent 6957 ff86c93b1c69
child 6959 858b3764bcdd
23019017 clone archives should remove sensitive puppet configuration data 23606517 mcollective default psk setting should be changeme
components/ruby/mcollective/patches/01-mco-client-config.patch
components/ruby/mcollective/patches/02-mco-server-config.patch
components/ruby/puppet/puppet.p5m
--- a/components/ruby/mcollective/patches/01-mco-client-config.patch	Sun Sep 18 10:50:41 2016 -0700
+++ b/components/ruby/mcollective/patches/01-mco-client-config.patch	Thu Sep 22 07:45:05 2016 -0700
@@ -3,12 +3,13 @@
     The default port used to connect to RabbitMQ is 61613
     Default user : 'mcollective' & passwd : 'changeme'
     Change RabbitMQ to log to /dev/stderr, so it goes to the SMF log
+    Set the PSK type explicitly to UID and the default to 'changeme'
 
 NOTE : This patch is developed in-house (and Solaris specific)
 
---- marionette-collective-2.8.8/etc/client.cfg.dist.orig	2016-04-20 09:42:43.785159244 -0700
-+++ marionette-collective-2.8.8/etc/client.cfg.dist	2016-04-20 12:07:58.755907466 -0700
[email protected]@ -1,19 +1,26 @@
+--- marionette-collective-2.8.8/etc/client.cfg.dist.orig	2016-09-19 08:51:01.733783224 -0700
++++ marionette-collective-2.8.8/etc/client.cfg.dist	2016-09-19 08:51:34.482722348 -0700
[email protected]@ -1,19 +1,27 @@
 +#######################################################################
 +# Oracle has modified the originally distributed contents of this file.
 +#######################################################################
@@ -25,7 +26,9 @@
  
  # Plugins
  securityprovider = psk
- plugin.psk = unset
+-plugin.psk = unset
++plugin.psk = changeme
++plugin.psk.callertype = uid
  
 -connector = activemq
 -plugin.activemq.pool.size = 1
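Review bot: `plugin.psk = changeme` ships a publicly known pre-shared key as the default in client.cfg.dist, and nothing in the hunk tells the administrator that it has to be replaced; the same applies to the server.cfg.dist hunk in 02-mco-server-config.patch. With `securityprovider = psk` the key is what authenticates requests, so a node left at the default accepts messages from anyone who knows the shipped value. I would add a comment directly above the setting, e.g. `# Replace 'changeme' with a site-specific secret before enabling mcollective; the value must match on clients and servers`, and consider having the service start method refuse to run while the value is still the default (the start method is not part of this commit, so that is a suggestion only). Next to `plugin.psk.callertype = uid` it is also worth stating that the caller id is, as far as I know, derived on the client side and not verified by the PSK plugin, so it should not be the sole basis for authorization rules.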
--- a/components/ruby/mcollective/patches/02-mco-server-config.patch	Sun Sep 18 10:50:41 2016 -0700
+++ b/components/ruby/mcollective/patches/02-mco-server-config.patch	Thu Sep 22 07:45:05 2016 -0700
@@ -3,12 +3,11 @@
     The default port used to connect to RabbitMQ is 61613
     Default user : 'mcollective' & passwd : 'changeme'
     Change RabbitMQ to log to /dev/stderr, so it goes to the SMF log
-
-NOTE : This patch is developed in-house (and Solaris specific)
+    Set the PSK type explicitly to UID and the default to 'changeme'
 
---- marionette-collective-2.8.8/etc/server.cfg.dist.orig	2016-04-20 12:36:27.556854540 -0700
-+++ marionette-collective-2.8.8/etc/server.cfg.dist	2016-04-20 12:37:10.186932498 -0700
[email protected]@ -1,7 +1,13 @@
+--- marionette-collective-2.8.8/etc/server.cfg.dist.orig	2016-09-19 08:51:05.719526817 -0700
++++ marionette-collective-2.8.8/etc/server.cfg.dist	2016-09-19 08:51:49.506159302 -0700
[email protected]@ -1,20 +1,28 @@
 +#######################################################################
 +# Oracle has modified the originally distributed contents of this file.
 +#######################################################################
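Review bot: The header of 02-mco-server-config.patch loses the line `NOTE : This patch is developed in-house (and Solaris specific)` in this hunk, while 01-mco-client-config.patch keeps the same line in this commit, which looks unintended. If the note is still accurate, keep it below the new "Set the PSK type explicitly ..." line so both patch headers stay consistent about the origin of the change.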
@@ -24,9 +23,11 @@
  loglevel = info
  daemonize = 1
  
[email protected]@ -9,12 +15,13 @@
+ # Plugins
  securityprovider = psk
- plugin.psk = unset
+-plugin.psk = unset
++plugin.psk = changeme
++plugin.psk.callertype = uid
  
 -connector = activemq
 -plugin.activemq.pool.size = 1
--- a/components/ruby/puppet/puppet.p5m	Sun Sep 18 10:50:41 2016 -0700
+++ b/components/ruby/puppet/puppet.p5m	Thu Sep 22 07:45:05 2016 -0700
@@ -1341,8 +1341,10 @@
 file path=usr/share/man/man8/puppet-secret_agent.8
 file path=usr/share/man/man8/puppet-status.8
 file path=usr/share/man/man8/puppet.8
-dir  path=var/lib/puppet owner=puppet group=puppet mode=0755
-dir  path=var/log/puppet owner=puppet group=puppet mode=0755
+dir  path=var/lib/puppet owner=puppet group=puppet mode=0755 \
+    revert-tag=system:clone=*
+dir  path=var/log/puppet owner=puppet group=puppet mode=0755 \
+    revert-tag=system:clone=*
 license puppet.license license="Apache v2.0"
 
 # globally applicable low level puppet modules we provide
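Review bot: Only `var/lib/puppet` and `var/log/puppet` receive `revert-tag=system:clone=*` in this hunk, so it cannot be told from here whether the editable configuration under etc/puppet is also reverted when a clone archive is created. That includes the SSL directory, if ssldir is kept under the configuration directory on this platform. The bug synopsis speaks of configuration data, so this is worth confirming against the rest of the manifest; the mcollective cfg files that now carry the PSK belong to a different manifest and deserve the same check. A short comment above the two `dir` actions would also help the next maintainer, e.g. `# unpackaged content below these directories is removed when a clone archive is created (system:clone)`.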